Further north of JP2 is JP1. It comprises four solder pads, which is the usual footprint of a UART port running at TTL voltage levels. A UART often gives a serial console, and the console is a way to interrupt the bootstrap process before the firmware takes over.

An el cheapo way to interface a modern PC (with no RS232 port) to the UART is a clone Nokia DKU5 phone data cable, which costs as little as £1. The cable contains an integral Prolific Technology PL2303 USB-to-UART bridge. [3] The PL2303 does the level shifting and carries the serial byte stream over USB bulk transfers; on the host side the driver moves that data in USB request blocks (URBs). Only ground, TX and RX need connecting, wired crosswise (the cable's TX to the board's RX and vice versa).

Linux has a kernel driver for the PL2303 (the pl2303 module), which presents the cable as a dumb serial port such as /dev/ttyUSB0; Windows needs Prolific's own driver, and recent versions of it may refuse clone chips. A terminal program like minicom is then used to connect to the router over that serial port, at the router's console settings (commonly 115200 baud, 8N1).

Out of the fourteen header pins on the board, there are six candidate pins. Any of these six pins could potentially carry any of the five JTAG signals {TDO,TDI,TMS,TCK and TRST}.

Here, n is 6 (the number of candidate pins), and r is 5 (the number of JTAG signals).

So nPr = 6! / (6-5)! = 720 permutations.

However, some assumptions can be made which will radically reduce the search space.

One of the JTAG signals, TRST, is optional. It is active low: it resets the TAP controller asynchronously for as long as it is held low. If we assume that the board pulls TRST up by default, so that the TAP is out of reset, it can be ignored. (If the search below finds nothing, a TRST that is floating or tied low is one of the first things to revisit.)

Another JTAG signal (TDO) can be discovered from its floating logic state using an ohmmeter. This is very well explained by Ray “revs-per-min” Haverfield. [1]

That leaves us with just three JTAG signals to find from a choice of five header pins.

Now the scale of the problem is 5P3 = 5!/(5-3)! = 5!/2! = 60 permutations.

That has already shrunk the search space by more than 90%.

We can now take advantage of another property of the JTAG standard. [2]

A TAP controller will always return to its reset state when TMS is held high for five or more rising edges of TCK, whatever state it started in. This is illustrated in the attached diagram of the JTAG state machine.

The bit values {0,1} shown in the diagram are the value of TMS (Test Mode Select) sampled on each rising edge of TCK. For example, to move the state machine from Shift_IR to Exit1_IR requires TMS to be high for one tick of TCK.

It doesn't matter where you start in the JTAG state machine. Holding TMS high while five ticks are clocked into TCK always returns the controller to Test_Logic_Reset; the longest paths, from the Capture, Shift and Pause states, take exactly five ticks.

Once a TAP is in Test_Logic_Reset, its instruction register is loaded with IDCODE (or BYPASS on a device without one), so no instruction needs to be shifted in on TDI. The 32-bit IDCODE is then captured into the data register automatically when the state machine passes through Capture_DR, and shifts out of TDO, least significant bit first, in Shift_DR. Bit 0 of an IDCODE is always 1, which is what distinguishes it from the one-bit BYPASS register, which shifts out a 0.

Returning to our board. TDO was discovered earlier from its floating logic state. So what this means is that only the TMS and TCK signals need to be found at this stage. TDI can be found later.

By controlling just TMS and TCK from software, the IDCODE captured on the way out of reset can be shifted out of TDO; TDI can be left at whatever level it floats to, since nothing depends on what shifts in. TDO is monitored for output consistent with a device IDCODE: bit 0 set, not a constant all-zeros or all-ones stream (which is what an undriven or stuck line looks like), and the same value again when the reset-and-scan is repeated.

Looking at this again as a combinatorial problem:

The value n remains at 5 since we still have five unknown pins. However, r, the number of signals to discover, is now just 2. These are the TMS and the TCK signals.

So nPr is 5!/3! = 20 permutations.

Using these techniques, the discovery of JTAG pinouts is trivialised.

There are software tools, such as JTAG_Finder [2] that can automate the fiddly task of swapping pins during pinout discovery. However, this is rarely necessary. Using the techniques above, the average count of pin-swaps before discovery success is reduced to a manageable number.

In summary, and using this board as an example, a total of 14 pins are reduced to 6 candidate pins. TDO is discovered with an ohmmeter. TRST is ignored. The discovery of TDI is postponed. Software (UrJTAG) is used to navigate the JTAG state machine for each permutation of TCK and TMS chosen from the five remaining pins. Since the correct pair is equally likely to be any of the 20 permutations, it turns up after (20+1)/2, about 10, pin-swaps on average, and after 20 at worst.
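As an added example (not code from the article, and not UrJTAG), the following Python models an IEEE 1149.1 TAP controller and a five-pin header so the two ideas above can be checked: `ticks_to_reset` confirms that five TMS=1 clocks reach Test-Logic-Reset from every one of the sixteen states, and `find_tck_tms` runs the 20-permutation search for TCK and TMS, reading the IDCODE out of TDO without ever driving TDI. The pin numbering, the IDCODE value 0x1234501B and the `Board` class are constructed for the example; `probe` adds a check the text does not spell out (reset and scan twice, compare), because a TAP left in Shift_DR by an earlier wrong guess can put non-constant data on TDO.

```python
from itertools import permutations

# TAP controller: state -> (next state for TMS=0, next state for TMS=1);
# TMS is sampled on the rising edge of TCK.
TLR = "Test-Logic-Reset"
TAP = {
    TLR:              ("Run-Test/Idle", TLR),
    "Run-Test/Idle":  ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan": ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":     ("Shift-DR", "Exit1-DR"),
    "Shift-DR":       ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":       ("Pause-DR", "Update-DR"),
    "Pause-DR":       ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":       ("Shift-DR", "Update-DR"),
    "Update-DR":      ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan": ("Capture-IR", TLR),
    "Capture-IR":     ("Shift-IR", "Exit1-IR"),
    "Shift-IR":       ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":       ("Pause-IR", "Update-IR"),
    "Pause-IR":       ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":       ("Shift-IR", "Update-IR"),
    "Update-IR":      ("Run-Test/Idle", "Select-DR-Scan"),
}

def ticks_to_reset(state):
    """TMS=1 clocks needed to reach Test-Logic-Reset from `state` (at most 5)."""
    n = 0
    while state != TLR:
        state, n = TAP[state][1], n + 1
    return n

class TapDevice:
    """Target whose TAP selects IDCODE on reset: Capture-DR loads the 32-bit code
    into the DR and Shift-DR streams it out LSB first. TDO is modelled as 0
    outside Shift-DR (real parts tri-state it); the power-up state is unknown."""
    def __init__(self, idcode):
        self.idcode, self.dr, self.state = idcode, 0, "Run-Test/Idle"

    def tdo(self):
        return self.dr & 1 if self.state == "Shift-DR" else 0

    def clock(self, tms, tdi=1):
        """One rising TCK edge: capture or shift in the current state, then move."""
        if self.state == "Capture-DR":
            self.dr = self.idcode
        elif self.state == "Shift-DR":
            self.dr = (self.dr >> 1) | ((tdi & 1) << 31)
        self.state = TAP[self.state][tms]

class Board:
    """Constructed header: five candidate pins (0-4), two of which are the real
    TCK and TMS. Undriven pins sit at pull-up level (1); TDI is left alone."""
    def __init__(self, idcode, tck_pin, tms_pin):
        self.dev, self.tck_pin, self.tms_pin = TapDevice(idcode), tck_pin, tms_pin
        self.level = {p: 1 for p in range(5)}

    def drive(self, pin, level):
        old, self.level[pin] = self.level[pin], level
        if pin == self.tck_pin and old == 0 and level == 1:  # real TCK rose
            self.dev.clock(self.level[self.tms_pin])

def pulse(board, tck, tms, tms_value):
    """Bit-bang one TCK cycle on the pins the host *guesses* are TCK and TMS."""
    board.drive(tck, 0)
    board.drive(tms, tms_value)
    board.drive(tck, 1)

def read_idcode(board, tck, tms):
    """Five TMS=1 clocks force Test-Logic-Reset from any state; TMS 0,1,0,0 walks
    Run-Test/Idle -> Select-DR -> Capture-DR -> Shift-DR; 32 clocks with TMS=0
    then shift the captured IDCODE out of TDO. TDI is never driven."""
    for v in [1] * 5 + [0, 1, 0, 0]:
        pulse(board, tck, tms, v)
    value = 0
    for i in range(32):
        value |= board.dev.tdo() << i  # sample TDO before the next rising edge
        pulse(board, tck, tms, 0)
    return value

def probe(board, tck, tms):
    """IDCODE if this (TCK, TMS) guess looks right, else None. 1149.1 fixes bit 0
    of IDCODE at 1 (BYPASS shifts out 0); a TDO that is not being shifted reads
    as all-0s or all-1s; and a correct guess reproduces the same value on a
    second reset-and-scan, which a mis-driven, still-shifting TAP does not."""
    first, second = read_idcode(board, tck, tms), read_idcode(board, tck, tms)
    return first if first == second and first & 1 and first != 0xFFFFFFFF else None

def find_tck_tms(board, pins=range(5)):
    """Walk the 5P2 = 20 ordered pairs; return (tck, tms, attempts) or None."""
    for attempt, (tck, tms) in enumerate(permutations(pins, 2), start=1):
        if probe(board, tck, tms) is not None:
            return tck, tms, attempt
    return None

def average_attempts(idcode=0x1234501B):
    """Mean pin-swaps over every possible placement of TCK and TMS on the header."""
    return sum(find_tck_tms(Board(idcode, t, m))[2]
               for t, m in permutations(range(5), 2)) / 20
```

`find_tck_tms(Board(0x1234501B, 2, 4))` returns `(2, 4, 12)`: the pair is the twelfth permutation tried, and `probe` on it yields the constructed IDCODE. `average_attempts()` builds one board per possible placement and returns 10.5, the "about 10" figure above. On real hardware `Board.drive` becomes a GPIO or FT232 pin write and `board.dev.tdo()` a read of the pin found with the ohmmeter; the sequencing is unchanged.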